SAN FRANCISCO – Calls for governments and info sec pros around the world to band together to fight nation-state and criminal cyber attacks increased here from keynote speakers at the opening of the annual RSA Conference.

“Cyber space is the new [international] battlefield,” warned Microsoft president and chief legal officer Brad Smith. “The world of potential war has migrated from land to sea to air and now cyberspace.”

Microsoft’s Brad Smith. Photos by Howard Solomon

World governments for years were committed to protecting citizens in times of war through laws like the 1949 Geneva Conventions he said, “but when it comes to cyber attacks nation-state hacking has evolved into attacks on civilians in times of peace.”

“Now is the time for us to call on governments to protect civilians on the Internet in times of peace.”

That includes a “digital Geneva Convention that will call on the world’s governments to pledge that they will not engage in cyber attacks on the private sector, that they will not target civilian infrastructure, whether electrical, economic or political variety. We need governments that will pledge instead to work with the private sector to respond to vulnerabilities, that they will not stockpile vulnerabilities.

He also called for the creation of an international independent organization, similar to the International Atomic Energy Agency to promote the non-military use of nuclear technology, that will bring together “the best and the brightest” from the private sector, academia and public sector to identify nation-state attackers. “That is the only way governments will come to recognize that this is not a program that will continue to pay off.”

Security professionals were able to lock down certain points of attack in 2016, but cyber criminals found a way in through different methods, according to network security company SonicWall's 2017 Annual Threat Report.

He didn’t offer details of how the agency would work or what sanctions it could impose other than publicity.

He noted that in 2015 experts from 20 countries have already created draft principles, and that former President Barack Obama and China agreed to forbid their governments from going after the cyber theft of intellectual property. That agreement was endorsed by the G20 group of nations.

“There’s an opportunity for the new president to sit across the table from the president of Russia and take another step forward to address the attacks that concern the world.

But he also said the private sector also has to work better to share threat intelligence.

Later Congressman Michael McCall, chair of the House of Representatives Homeland Security committee, told the conference that the U.S. needs to work with its NATO allies “to win the war in cyber space.”

“We cannot allow any foreign adversaries to use cyber intrusions to meddle in our domestic affairs, and especially into our democratic process,” McCall said. The threat of sanctions and other penalties, which President Barack Obama imposed on Russia for the attacks, should be used, he added. “Russia is a perfect example. We must continue to call out Moscow for election interference … We’ve got to say enough is enough.”

He painted a grim picture of the online world. “We are in the fight of our digital lives and we are not winning … It’s clear to me that our adversaries are turning digital breakthroughs into digital bombs. From Russian and Chinese hacking to brand-name headaches our cyber rivals are overtaking our defences. Nation-states are using cyber tools to steal our country’s secrets and copy our intellectual property. Faceless hackers are snatching our financial data and blocking access to our healthcare information, and terrorists are abusing encryption and social media to crowdsource the murder of innocent people.”

In addition to standing up to certain countries governments and the private sector have to work more closely together to stop cyber attacks, he said.

However, one cyber expert here says that there are better ways to prevent nation states from launcihng cyber attacks than creating new international cyber institutions: Build better software to prevent breaches.

“I would much rather see the Microsoft’s of the world focus on making their customers safer by making their software harder to exploit,” John Pescatore, a former Gartner security analyst who is now director of emerging security trends at the SANS Institute, said in an interview. “Reduce the vulnerabilities (and) all attacks are harder to launch.”

Governments can do some things, he added, such as better defining an incident as cyber warfare, as opposed to cyber crime. “We know how to deal with international crime,” he said. Law enforcement agencies already work together on that. But he cautioned against calling any attack that comes from another country cyber warfare.

Editor of ITWorldCanada.com and Computing Canada, covering all aspects of enterprise computing, telecommunications, network infrastructure and government IT issues. An IT journalist since 1997, I've written for several of ITWC's sister publications.